U.S. Data Protection According to Safe Harbor: Changes after Decision by German Regulators
Article by Dr. Sebastian Kraska (attorney at law, external Data Protection Officer) and Alma Lena Fritz (attorney at law).
The so-called “Düsseldorf Group” made a decision this April regarding the legality of data transfers from Germany to companies in the U.S. that have agreed to the Safe Harbor Principles. This article will explain the consequences that this decision will have on the practice of data transfers.
What is the “Düsseldorf Group”?
The Düsseldorf Group is a group of data protection regulators specializing in corporate issues (so-called “non-public entities”). On April 29, 2010, the Düsseldorf Group issued a decision on data transfers under the Safe Harbor Treaty. Among other things, the decision sets out stricter guidelines that impose additional obligations on companies transferring data to U.S.-based companies with Safe Harbor certification.
What is the general situation for exporting data out of Germany?
According to sections 4b and 4c of the German Federal Data Protection Act, transferring data from German companies to foreign companies is unproblematic as long as the recipient companies are located in the European Union or the European Economic Area (Norway, Iceland, and Liechtenstein). If the data is transferred to a company in any other country, it must be examined separately whether the entity that will receive the data offers a reasonable level of data protection (in specific cases, for instance, the so-called “EU standard contract clauses” or binding group-wide data protection rules can be used to establish this).
Reasonable level of protection defined by EU Commission for many countries
The EU Commission has already defined the reasonable level of data protection for the countries Canada, Argentina, Switzerland, Guernsey, and the Isle of Man based on the legal environment for the entire country. If data is transmitted to another country that has not been officially recognized by the EU Commission, a reasonable level of protection must be established for the specific case.
U.S. as an exception
Based on close trade relations with the United States, a separate solution has been created by the EU although a reasonable level of data protection has not been established by the EU Commission for the U.S. itself. Based on the Safe Harbor Treaty, companies in the U.S. can be certified by a U.S. agency as a “company with a reasonable level of data protection.” The companies must agree to the Safe Harbor Treaty and formally submit to the regulations established therein on the handling of personal data. The German data exporter may then transfer data to this U.S. company (of course, only if the transmission is otherwise permitted by data protection laws).
What was the situation before?
The following legal situation used to apply to German data exporters: if data was transferred to a company in the U.S. that had agreed to the Safe Harbor Treaty, the transfer was generally permitted under sections 4b and 4c of the German Federal Data Protection Act. Therefore, the German data exporter did not have to worry about sanctions. Data could be transferred under the Safe Harbor Treaty without agreeing to EU standard contract clauses or corporate data protection guidelines. This solution was easy for companies in the U.S. as well: agreeing to the Safe Harbor Treaty was a one-time act that then covered all desired data imports into the U.S. by the company.
Safe Harbor under fire
The experience of German data protection regulators with the Safe Harbor Treaty over a ten-year period, however, revealed enormous data protection deficits. Specifically, there has been practically no oversight or monitoring of compliance with the Safe Harbor Provisions by government officials. A study at the end of 2008 uncovered and documented major deficits.
In particular, the findings showed that many companies say that they have been certified under Safe Harbor without actually having agreed to it. In addition, there has been a widespread lack of compliance with the minimum requirements of the treaty. The findings also showed that during these ten years only a single case was ever examined by a court. Therefore, a reasonable level of data protection has de facto not been ensured.
What has changed now?
According to the decision by the Düsseldorf Group, German companies that transfer data to U.S.-based companies must now observe the following procedure: If data is exported from Germany to the U.S., then the data exporters are obligated to actively review compliance with the minimum standards of data protection laws even if the U.S. company receiving data has agreed to the Safe Harbor Treaty.
The Düsseldorf Group has also explained in the decision its understanding of what an active review means:
1. Written documentation of agreement to the treaty must be presented
First, written documentation must be presented to the German data exporter stating that the company has in fact agreed to the Safe Harbor Treaty. This documentation may not be older than seven years and must include the substantial obligations of the Safe Harbor Treaty. Receipt of this confirmation should be carefully documented because the responsible party is obligated to present it at the request of data protection officials.
2. Verification of compliance with notification duties must be obtained
In addition, the German data exporter must obtain verification from the potential data recipient that the data recipient has complied with notification duties to the affected party that have been established in the Safe Harbor Treaty itself.
Notification duties under Safe Harbor
According to these duties, the company must notify the subjects affected by the data transfer about the purpose for which data will be collected, how they can contact the organization in the event of any questions or complaints, what types of third parties the data will be shared with, and what means are available to private individuals so they can limit the use and dissemination of the data.
The responsible party must also be able to verify to regulators that this has taken place.
3. Violation of Safe Harbor should be reported to regulators
The Düsseldorf Group also recommends that a violation of the Safe Harbor Principles be directly reported to regulators. But their decision does not indicate that this is obligatory.
German data exporters now face increased fines
The recommendations contained in the regulators’ decision have now become de facto requirements for data transferred to the U.S. Violations of the German Federal Data Protection Act can result in fines of up to €300,000.00; any profits exceeding that amount can be seized, and claims for compensatory damages can be filed. The liability risk is therefore relatively high.
Recommendations
It is absolutely necessary to meet the requirements of the Düsseldorf Group as indicated above. Data protection regulators at the state level as a rule adhere to the committee’s opinion very closely.
Guaranteeing data protection not only formally but in practice as well
To guarantee data protection standards not only formally but in practice as well, we recommend that companies take additional data protection steps, for instance agreeing on contractual penalties to guard against the loss of image caused by negative press in the event of “data protection scandals” (in such cases, the exact amount of damage is frequently difficult to document).
Summary
German companies that export personal data to U.S. companies with Safe Harbor certification must now comply with the expanded regulations discussed in the article (written documentation of agreement to Safe Harbor, verification of compliance with notification duties, any duties to inform regulators, etc.).